
CVE-2009-4509

Severity: CRITICAL
CVSS Severity Score: 10.0
EPSS Score: 0.1950%
EPSS Percentile: 36.19th
Published: Apr 13, 2010
Last Modified: Apr 29, 2026

Vulnerability Description

The administrative web console on the TANDBERG Video Communication Server (VCS) before X4.3 uses predictable session cookies in (1) tandberg/web/lib/secure.php and (2) tandberg/web/user/lib/secure.php, which makes it easier for remote attackers to bypass authentication, and execute arbitrary code by loading a custom software update, via a crafted "Cookie: tandberg_login=" HTTP header.

Affected Platforms (CPE)

Vsecurity: Tandberg Video Communication Server <= x4.2.1
Vsecurity: Tandberg Video Communication Server = x1.0.0
Vsecurity: Tandberg Video Communication Server = x1.1.0
Vsecurity: Tandberg Video Communication Server = x1.2.0
Vsecurity: Tandberg Video Communication Server = x2.0.0
Vsecurity: Tandberg Video Communication Server = x2.1.0
Vsecurity: Tandberg Video Communication Server = x3.0.0
Vsecurity: Tandberg Video Communication Server = x3.1.0
Vsecurity: Tandberg Video Communication Server = x4.1.0
Vsecurity: Tandberg Video Communication Server = x4.2.0
